Full_Name: Benjamin Rosenbaum
Version: 2.3.5
OS: NT 4.0
Submission from: bastel.eunet.ch (146.228.10.31)
Hi,
I am using Apache/1.3.6 (Win32), mod_ssl/2.3.5, OpenSSL/0.9.3a
under Windows NT 4.0.
I have a problem very similar to the one that Jeffrey Burgoyne
was having in the "No common encryption algorithms" thread on the
modssl-users list (found in the MARC archive). When I turn SSLEngine on
in <VirtualHost _default_:443> and go there (from the same machine)
with https://localhost or https://localhost:143 or https://127.0.0.1,
my Netscape 4.05 browser says that the browser and the server "cannot
communicate securely because they have no common encryption algorithm."
The error_log (for the secure virtual host) has:
[Wed Jul 14 17:23:30 1999] [error] mod_ssl: SSL handshake failed (client 127.0.0.1, server 192.168.0.163:443) (OpenSSL library error follows)
[Wed Jul 14 17:23:30 1999] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
In Jeffrey's case, this turned out to be a matter of the wrong
hostname: he changed "the hostname on the machine" to match what
he was using in his browser. In my case, I have set these both to
be the same, but this has not helped.
Perhaps OpenSSL does a variety of security checks - e.g. reverse
DNS? - and if anything is weird, gives that "no shared cipher" error?
Like Jeffrey, I can connect fine with openssl s_client. Here's the output:
D:\APACHE\webserver>openssl s_client -connect 192.168.0.165:443 -quiet
depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver
Team/CN
[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver
Team/CN
[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
Here's the output of "openssl ciphers":
D:\APACHE\webserver>openssl ciphers
EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC3-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
Seems like that would be enough - even for version 4.05 of Netscape! ;-)
Here are the relevant sections of my httpd.conf:
<IfDefine SSL>
Listen 80
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot htdocs-ssl
ServerName 192.168.0.165
#ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log_ssl
TransferLog logs/access_log_ssl
SSLEngine on
SSLCipherSuite ALL
SSLCertificateFile conf/ssl.crt/snakeoil-dsa.crt
SSLCertificateKeyFile conf/ssl.key/snakeoil-dsa.key
SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
The regular http:// on port 80 is working fine.
I get an even less helpful error message trying to connect
to the https:// host with IE 4.72 ("Im Support des sicheren
Channels ist ein Fehler aufgetreten" - it's a German copy).
I can't think of anything else to try. Any help will be *greatly*
appreciated.
Thanks,
- Benjamin Rosenbaum
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]